Efficient protection of kernel data structures via object partitioning
This presentation is the property of its rightful owner.
Sponsored Links
1 / 22

Efficient Protection of Kernel Data Structures via Object Partitioning PowerPoint PPT Presentation


  • 73 Views
  • Uploaded on
  • Presentation posted in: General

Efficient Protection of Kernel Data Structures via Object Partitioning. Abhinav Srivastava , Jonathon Giffin AT&T Labs-Research, HP Fortify ACSAC 2012. Outline. Introduction Related Work Sentry System Implementation Evaluation Conclusion. Introduction.

Download Presentation

Efficient Protection of Kernel Data Structures via Object Partitioning

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Efficient protection of kernel data structures via object partitioning

Efficient Protection of Kernel Data Structures via Object Partitioning

AbhinavSrivastava, Jonathon Giffin

AT&T Labs-Research, HP Fortify

ACSAC 2012


Outline

Outline

  • Introduction

  • Related Work

  • Sentry System

  • Implementation

  • Evaluation

  • Conclusion


Introduction

Introduction

  • Kernel-level malicious malware often uses DKOM(Direct Kernel Object Manipulation) to hide the process from the kernel’s process accounting list.

  • They may also escalate a process’ privileges by overwriting the process’ credentials with those for a root or administrative user

  • We present a system called Sentry that creates access control protections for security-critical kernel data.


Related work

Related Work

  • Petroni et al. detect process which reachable in scheduler but not in process accounting list.

    • Cannot detect the list of loaded kernel modules, which do not offer multiple views.

  • XFI and BGI guarded write instructions subject to access control policy constraints.

    • Require all kernel drivers and modules to use this system

    • Low performance.


Sentry system

Sentry System

  • Page-level Granularity: use hardware’s page read/write protection to enforce access control policy

  • Partitioning: to separate kernel data structure into regionswhich have different access control policies

  • Based on VM: to get full control to hardware page-fault handling and management


Sentry system1

Sentry System


Page level granularity

Page-level Granularity

  • Old methods

    • Applying policy checking is to check all possible write operation to kernel data Slow performance

    • Protecting a single security-critical member requires whole page to be protected Low memory utility

  • Sentry use structure partitioning and page write protection to apply access control policies


Page level granularity cont

Page-level Granularity (Cont.)

  • How page write protection protect the data?

  • Simply using the write flag in page data structure

  • If someone tries to write to a protected page, a page fault happen, and a function sh_page_fault in XEN hypervisor is called to handle this event

  • Sentry changes the handling function to add a policy check:

    • If write is valid, then ignore this page fault and perform write operation

    • If write is invalid, then the write operation is denied


Partitioning

Partitioning

  • Structures such as task_structand modulecontains a mix of security-critical and not-critical fields

  • Structure Division

  • Structure Alignment


Partitioning structure division

Partitioning - Structure Division

  • Split original Objby creating a new data structure insecure_Objcontaining non-critical fields

structtask_struct

structtask_struct

uid_tuid, euid, suid

uid_tuid, euid, suid

gid_tgid, egid, sgid

gid_tgid, egid, sgid

u64 acct_rss_mem1

structlist_head tasks

u64 acct_vm_mem1

char comm[16]

structlist_head tasks

insecure_task_struct *insecure

void *journal_info

structinsecure_task_struct

unsigned long personality

unsigned long personality

structaudit_context *audit_context

structaudit_context *audit_context

char comm[16]

void *journal_info

u64 acct_rss_mem1

...

u64 acct_vm_mem1


Partitioning structure alignment

Partitioning - Structure Alignment

  • Add a buffer to original Obj to separate security-critical members and non-critical members away

  • This can be done by using compiler options to insert or remove the alignment buffer

Page Size

struct module

struct module

enummodule_state state

enummodule_state state

structlist_head list

structlist_head list

char name[MODULE_NAME_LEN]

char buffer[BIG_SPACE]

const char *version

const char *srcversion

char name[MODULE_NAME_LEN]

...

const char *version

const char *srcversion

...


Policy

Policy

A valid write operation can be performed by:

  • Trusted core kernel, such as core kernel code from symbol _text to _etext, kernel boot code from symbol __init_beginto __init_end

  • Trusted Upgraders: Alteration reachable from most exported kernel functions, such as API provided by the Kernel


Page creation registration

Page Creation & Registration

  • When creating a new instance of protected structure, Objand insecure_Objare put into a page frame separately, and add page write protection on the page containing Obj

  • The page frame number(PFN) then send to Sentry system using VMCALL, a method to pass data to hypervisor, to tell which page frame needs mediation


Implementation

Implementation

  • Use Linux 2.6 and Xen hypervisor

  • Change task_structand modulestructure using division and alignment respectively

  • Change Linux source code where use those structures into correct variable

    • current->journal_infocurrent->insecure->journal_info

    • Alter 0.036%(2536/7041452) SLOC(Source Line of Code) in Linux 2.6

    • This can be done by source-to-source transformation techniques, such as provided by CIL


Implementation cont

Implementation (Cont.)

  • Structure Division

    • Apply on task_struct structure only

    • Categorized 28 of 122 members as critical

    • Change structure creation function kmem_cache_allocinto get_free_pagesand kmalloc

  • Structure Alignment

    • Apply on modulestructure only

    • Categorized 2 of 29 members as critical

    • Only a recompilation of the kernel


Implementation cont1

Implementation (Cont.)

  • APIs to communicate to hypervisor

    • addPFNtoDB, removePFNfromDB, checkPFNinDB

  • Modify __sh_propagateto make a shadow of memory of guest operating system for monitor

  • Sentry check write operation’s vaildityby the eipregister when sh_page_faultis called, and traverse the stack frame using ebpto get full call trace


Evaluation

Evaluation

  • Attack Prevention and Detection


Evaluation cont

Evaluation (Cont.)

  • Performance on loading and unloading modules

    • Normal: no kernel memory protection

    • Protected: protection without partitioning

    • Sentry: both memory protection and partitioning


Evaluation cont1

Evaluation (Cont.)

  • Performance on file system read/write

  • Memory page utility

    • A partitioned kernel used 6502 pages as compared to 6302 pages used by the unpartitioned kernel


Evaluation cont2

Evaluation (Cont.)

  • Performance on real world jobs

  • Performance on process data structure

    • 1000 µs = 1 ms


Evaluation cont3

Evaluation (Cont.)

  • False Positive Analysis

  • Since benign modules don’t directly modify security-critical kernel data, and uses exported APIs provided by kernel

    • For example, benign modules don’t directly modify run_list, but using enqueue_taskand dequeue_taskto modify this member, and those functions are valid APIs, so the modules can still works fine

  • Our system did not show any false positives and detected all attacks


Conclusion

Conclusion

  • We create protected memory regions within the unified kernel data space.

  • We show how to optimize kernel memory space layout for the protection constraints created by our system.

  • We design and develop a system, Sentry, which is capable of protecting both statically and dynamically allocated data structures.


  • Login